Privacy Policy
Effective date: 21 May 2026
1. Who We Are
The Adverse Events reporting service (“Service”, “we”, “us”, or “our”) is operated by Dr Sean Hall, based in Australia. Dr Sean Hall is the data controller responsible for personal information collected through this Service.
Contact: drsmhall@gmail.com
2. Information We Collect
When you submit an adverse event report, we collect the following categories of information:
Reporter information
- Full name and email address (required)
- Phone number (optional)
- Relationship to the patient (e.g., self, carer, healthcare professional)
- Professional credentials, registration number, and institution (for healthcare professional reports)
- Country of occurrence
Patient information
- Initials, date of birth, sex, and weight
- Patient information is not mandatory for consumer reports but may be provided
Product and reaction information
- Suspect product name(s), dose, indication, and duration of use
- Description, onset date, severity, and outcome of the adverse reaction
- Seriousness criteria, concomitant products, MedDRA reaction terms, and causality assessment
- Any additional information you choose to provide
Technical information
- Submission timestamp, a unique reference number, and form type (public or professional)
- We do not collect IP addresses, cookies, or browsing data beyond what is incidentally logged by our hosting infrastructure
3. Special Category Data
Health and medical information is “special category” (or “sensitive”) personal data under the EU General Data Protection Regulation (GDPR), the Australian Privacy Act 1988, and equivalent laws. This includes information about a patient’s diagnosis, symptoms, and reaction outcomes.
We process this data on the following legal bases:
- Explicit consent (GDPR Art. 9(2)(a); Privacy Act s 16A): You provide this data voluntarily and by submitting the form you expressly consent to our processing it for the purposes described in this Policy.
- Public interest in public health (GDPR Art. 9(2)(i)): Pharmacovigilance reporting serves the public interest in monitoring the safety of medicines and health products.
- Scientific research (GDPR Art. 9(2)(j)): Data may be processed for research and statistical purposes subject to appropriate safeguards.
4. How We Use Your Information
We use the information collected for the following purposes:
- Processing and reviewing reports: We review submissions for clinical completeness, plausibility, and quality before forwarding.
- Regulatory forwarding: Completed reports, including identifying information, may be transmitted to national or international regulatory authorities in the jurisdiction where the reaction occurred.
- Follow-up correspondence: We may contact you using the email address provided to request clarification or additional information about your report.
- Research and trend analysis: Report data — which may be in identified, pseudonymised, or de-identified form — may be used for life sciences research, epidemiological surveillance, health policy analysis, and sociodemographic trend studies.
- Aggregate and public reporting: We may publish de-identified, aggregated statistics or summaries derived from report data.
- Service improvement: We may use aggregate, anonymised data to improve the form design, fields, and usability of the Service.
5. Sharing Your Information with Third Parties
We do not sell personal information. We may share your information in the following circumstances:
Regulatory authorities
Reports may be forwarded, in full or in part, to national pharmacovigilance authorities including but not limited to: the FDA (USA), TGA (Australia), MHRA (UK), Health Canada, the European Medicines Agency (EMA), and the NMPA (China). The authority to which a report is forwarded is generally determined by the country in which the reaction occurred. These authorities are independent controllers and process the data under their own privacy frameworks and legal obligations.
Research collaborators
Identified or pseudonymised data may be shared with academic, clinical, or public health researchers under data sharing agreements that include appropriate confidentiality and security obligations, and subject to applicable ethics or review board requirements.
Infrastructure and service providers
We use Supabase (database hosting) and Vercel (application hosting) as technical infrastructure. These providers process data on our behalf under their own data processing agreements and do not use your data for their own purposes.
Legal obligations
We may disclose information if required to do so by law, court order, or governmental authority, or where we believe disclosure is necessary to protect the rights, property, or safety of any person.
6. International Data Transfers
Because this Service accepts reports from and may forward reports to authorities in multiple countries, your personal data may be transferred to, stored in, and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your jurisdiction.
For transfers from the European Economic Area (EEA) to third countries, we rely on applicable transfer mechanisms (including standard contractual clauses or adequacy decisions) to the extent required. For transfers to regulatory authorities, such transfers are necessary for reasons of public interest under GDPR Art. 49(1)(d).
7. Data Retention
We retain adverse event reports for a minimum of 10 years from the date of submission, consistent with international pharmacovigilance guidelines (including ICH E2E) and applicable regulatory requirements. Where a longer retention period is required by law or regulation, we will retain data for that longer period.
Data used for research or trend analysis may be retained indefinitely in de-identified or pseudonymised form. Identified data used for research is retained only for as long as necessary for the specific research purpose.
8. Your Rights
Depending on your jurisdiction, you may have the following rights in relation to your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your data, subject to our legal and regulatory retention obligations.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format (where technically feasible).
- Objection: Object to processing based on legitimate interests or for direct marketing (we do not conduct direct marketing).
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Please note that once a report has been forwarded to a regulatory authority, we cannot require that authority to amend or delete the data — the authority holds that data under its own legal framework.
To exercise any of these rights, contact us at drsmhall@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.
9. California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA, including the right to know what personal information is collected and sold, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your rights.
To make a verifiable consumer request, contact us at drsmhall@gmail.com.
10. Children's Privacy
The Service is not directed to children under the age of 18. We do not knowingly collect personal information directly from children. A report may include information about a child patient; in such cases the report must be submitted by a parent, guardian, or healthcare professional with appropriate authority.
11. Security
We implement reasonable technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted data transmission (TLS), row-level security on our database, and restricted access to production systems.
No method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but will notify affected individuals and relevant authorities in the event of a data breach as required by applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The effective date at the top of this page reflects the most recent revision. We encourage you to review this Policy periodically. Continued use of the Service after any change constitutes acceptance of the revised Policy.
13. Contact and Complaints
For any questions, concerns, or requests relating to this Privacy Policy or our data practices, contact us at: drsmhall@gmail.com
If you are in Australia and believe we have not complied with the Privacy Act 1988, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au. If you are in the EU/EEA, you may contact your national data protection authority.